Execution Policy
PowerShell · Reference cheat sheet
Execution Policy
PowerShell · Reference cheat sheet
📋 Overview
Execution policy is a safety gate controlling which scripts can run—not a security boundary. Policies differ by scope (Process, CurrentUser, LocalMachine). Prefer RemoteSigned for interactive machines; use process-scoped bypasses for CI without changing machine policy.
🔧 Core concepts
| Policy | Effect |
|---|---|
Restricted | No scripts |
AllSigned | Only signed scripts |
RemoteSigned | Local OK; downloaded need signature |
Unrestricted | Warn on remote; run |
Bypass | Nothing blocked |
Undefined | Defer to other scopes |
| Scope | Typical use |
|---|---|
Process | Current session only |
CurrentUser | Per-user registry |
LocalMachine | Machine-wide (admin) |
Zone Identifier alternate data streams mark “downloaded” files on Windows.
💡 Examples
Inspect and set:
Get-ExecutionPolicy -List
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUserOne-off bypass (CI / troubleshooting):
pwsh -ExecutionPolicy Bypass -File .\deploy.ps1
Set-ExecutionPolicy Bypass -Scope ProcessUnblock downloaded file:
Unblock-File -Path .\Install-Thing.ps1
Get-Item .\Install-Thing.ps1 -Stream *⚠️ Pitfalls
- Execution policy does not stop a determined user (
powershell -Command, bypass, copying contents). - Group Policy may override your
Set-ExecutionPolicy—check-List. - USB/network files may still be treated as remote.
- Signing requires certificates and maintenance—don’t adopt
AllSignedcasually. - On non-Windows, policies are largely
Unrestricted/ less relevant—still use-Filecarefully. - Don’t set
LocalMachineBypass on shared workstations without need.